Computer Security, the Blind Men and the Elephant
There is a classic tale that originated in India about a number of blind men who wanted to know what an elephant looks like. Each man touched a different part of the elephant’s body and therefore came away with a different mental image of the elephant. (Wikipedia: Blind Men and the Elephant) What does this tale have to do with computer security? Not all computer professionals have the same perspective or knowledge when it comes to computer security.
When people choose a computer profession, they usually specialize in one or two areas – system administration, networking, programming, database management, security, etc. While it’s possible for someone to have a good working knowledge of other areas, truly mastering one particular area means that a person has to sacrifice depth of knowledge in the others. This includes specializing in certain vendor-specific operating systems and/or applications. Not only that, some people have no interest in one or more of the other areas or vendor products, and as a result have little or no knowledge about those areas or products.
Microsoft Windows administrators, for example, may only know how to administer Windows systems and have absolutely no idea how to secure an Oracle database. They might have dabbled in programming and can perhaps write scripts, but have no idea how to secure an enterprise-grade application written in Basic, C, Java, ASP or PHP. They know how to apply security settings and address vulnerabilities identified by an automated vulnerability scanner, but it’s very possible that they have no knowledge of hacking, host and network intrusion detection, computer forensics or incident response. They may have a general understanding of what’s involved, but not to the extent that they can do the job of the person responsible for that particular area. The same applies to professionals who have specialized in other areas.
While extensive knowledge about hacking is available in books and on the Internet, many computer professionals have never tried playing the role of a hacker in a test environment and attacking unpatched and misconfigured systems and applications – or applications they have written themselves. They’ve never placed malicious code on a system, taken remote control of a system using a Trojan, implanted malware on a Web page or exfiltrated data out of a database. Consequently, they may not know what their own malicious activity would look like in computer security logs. As a result, many will never know that their systems or applications have been hacked unless a security system raises an alert that there may be an issue.
As you might imagine, this lack of knowledge can be a real problem for security personnel when it comes to working with other disciplines to secure systems, networks and applications. If a person doesn’t fully understand how something can be probed, attacked and exploited, how can that person truly understand the weaknesses in what they are responsible for managing, beyond what they are being told by security personnel – or vice versa? The honest answer is that the person can’t.
Are you a computer professional? Do you know as much as you should about hacking and how it applies to your own or other areas of expertise? If not, my book may give you some valuable insights into what you need to know.